Security policies outline acceptable usage, personnel responsibilities, and data protection guidelines. They define separation of duties, background checks, data classification, and incident response plans. Implementing security awareness training and regularly reviewing policies helps ensure compliance and mitigate risks from unauthorized access or data loss.

1. Chapter 11
Implementing Policies
to Mitigate Risks
CompTIA Security+
Get Certified Get Ahead
1

2. Introduction
• Exploring security policies
• Protecting data
• Responding to incidents
• Providing training

3. Exploring
Security
Policies
• Security policies
– Written documents that
identify a security plan
• Security controls enforce security
policies
– Technical, administrative, physical

4. Exploring
Security
Policies
• Acceptable use policy
– Defines proper system usage
– Users often required to read and sign
an AUP when hired and periodically
• Mandatory vacations
– Require employees to take time away
from the job
– Helps reduce fraud and discover
malicious activities

5. Personnel
Policies
• Separation of duties
– Prevents any single person or entity
from being able to complete all the
functions of a process
– Divides tasks between employees
• Job rotation
– Require employees to change roles on a
regular basis
– Helps ensure that employees cannot
continue with fraudulent activity
indefinitely

6. Personnel
Policies
• Clean desk policy
– Requires users to organize their areas
– Reduces risk of possible data theft
– Reminds users to secure sensitive data
– May include a statement
about not writing down
passwords

7. Personnel
Policies
• Background check
– Varies based on job
• Non-disclosure agreement (NDA)
– NDAs prohibit data sharing
• Exit interview

8. Personnel
Policies
• Onboarding
– Offboarding
• Policy violations
– Adverse actions generally dependent
on violation

9. Other
General
Security
Policies
• Social media
• Banner ads and malvertisements
• Social networking

10. Agreement
Types
• Interconnection security
agreement (ISA)
– Ensures strict guidelines protect data
while in transit
• Service level agreement (SLA)
– Agreement that stipulates performance
expectations
• Memorandum of understanding
(MOU)
– Defines responsibilities of each party
• Business partners agreement
– Details relationship

11. Protecting
Data
• Information classification
– Helps ensure users understand the
value of data
– Helps protect sensitive data
– Classifications defined in security policy
• Public data
– Confidential data
– Proprietary data
– Private data

12. Protecting
Data
• Data labeling and handling
– Helps ensure personnel apply the
proper security controls to protect
information
– Physical labels
– Digital labels

13. Data
Destruction
& Media
Sanitization
• Purging
• File shredding
• Wiping
• Erasing and overwriting
• Burning
Consider SSDs

14. Data
Destruction
& Media
Sanitization
• Paper shredding
• Pulping
• Degaussing
• Pulverizing

15. Data
Destruction
& Media
Sanitization
• Storage and retention policies
– Identify where data is stored
– Identify how long it is retained
– Retention policies
• May limit a company’s exposure to legal
proceedings
• May reduce the amount of labor required to
respond to court orders

16. Protecting
Data
• Personally identifiable information
(PII)
– Includes information such as:
• Full name, birthdate, biometric data,
identifying numbers
– Requires special handing
– Employees should be trained not to
give out PII
– Many laws mandate the reporting of PII
data losses
• Personal Health Information (PHI)
– PII that includes health information
– Includes information on employee
health plans

17. Protecting
Data
• Personally identifiable information
(PII)
– Includes information such as:
• Full name, birthdate, biometric data,
identifying numbers
– Requires special handing
– Employees should be trained not to
give out PII
– Many laws mandate the reporting of PII
data losses
• Personal Health Information (PHI)
– PII that includes health information
– Includes information on employee
health plans

18. Legal and
Compliance
Issues
• Health Insurance Portability and
Accountability Act of 1996 (HIPAA)
• Gramm-Leach Bliley Act (GLBA)
• Sarbanes-Oxley Act (SOX)
• General Data Protection
Regulation (GDPR)

19. Data Roles and
Responsibilities
• Owner
– Overall responsibility
• Steward/custodian
– Handles routine tasks
• Privacy officer
– Responsible for ensuring compliance

20. Responding to
Incidents
• Incident
– An adverse event or series of events
– Can negatively affect the
confidentiality, integrity, or availability
of data or systems
• Examples
– Attacks
– Release of malware
– Security policy violations
– Unauthorized access of data
– Inappropriate usage of systems

21. Incident
Response Plan
• Incident types
• Cyber-incident response teams
• Roles and responsibilities
• Escalation
• Reporting requirements
• Exercises

22. Incident
Response
Process
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons learned

23. Basic Forensic
Procedures
• Overview
– Collect evidence
– Control evidence
– Evaluate evidence

24. Basic Forensic
Procedures
• Order of volatility
– Collect most volatile data first
– Collect least volatile data last
– RAM is volatile
• Lost when a computer is
powered down
– Data in RAM includes
• Processes and applications
• Data recently accessed
by a user
Least to Most Volatile
• Cache memory
• Regular RAM
• Swap or paging file
• Hard drive data
• Logs stored on
remote systems
• Archived media

25. Data
Acquisition
• Capture images
– Forensic image
• Bit-by-bit copy of the data
• Does not modify the data during the capture
• Experts capture an image before analysis
• Analysis can modify the data
• Original data is preserved to maintain its
usability as evidence
• Forensic experts analyze the image or image
copy
• Original kept in an unmodified state

26. Data
Acquisition
• Take hashes
– Hashing provides integrity for captured
images
– Includes images of memory and disk
drives
• Network traffic and logs
– Can identify computers and some of
their activity
– MAC address can identify a computer
– More definitive than an IP address or
name

27. Data
Acquisition
• Capture video
– CCTV
– Reliable proof
• Record time offset

28. Data
Acquisition
• Screenshots
– Print screen
• Witnesses
– Ask, ask, ask

29. Data
Acquisition
• Chain of custody
– Provides assurances that evidence has
been controlled and handled properly
– Documents who handled the evidence
and when
• Legal hold
– Response to a court order

30. Data
Acquisition
• Active logging
– For intelligence gathering
– Increases logging after an incident
• Track man hours and expense
– Useful for budgets and assessments

31. Providing
Training
• Role-based Training
– Targeted to users based on their roles
• Data owner
• System administrator
• System owner
• User
• Privileged user
• Executive user
• Incident response team

32. Providing
Training
• Continuing education
– Not a one-time event
• Training and compliance issues
– Often needed to comply with laws,
best practices, and standards
– Comply with PII protection issues
– PCI DSS for credit cards

33. Troubleshootin
g Personnel
Issues
• Insider threat
• Personal email
• Policy violation
• Social engineering
• Social media

34. Chapter 11
Summary
• Exploring security policies
• Protecting data
• Responding to incidents
• Providing training